aboutsummaryrefslogtreecommitdiffstats
path: root/include
diff options
context:
space:
mode:
authorplegall <plg@piwigo.org>2010-03-19 22:25:39 +0000
committerplegall <plg@piwigo.org>2010-03-19 22:25:39 +0000
commitc695136e4d75695178a9fc848a7cf6bfa2b9346c (patch)
treeefba21de4995d7bd6b2f792e6d118a8e6e6bd405 /include
parentff7e537e2b4bceaef241096a377d12af4b917c43 (diff)
bug 1328: backport the pwg_token on trunk
bug 1329: backport the check_input_parameter on trunk feature 1026: add pwg_token feature for edit/delete comment. Heavy refactoring on this feature to make the code simpler and easier to maintain (I hope). git-svn-id: http://piwigo.org/svn/trunk@5195 68402e56-0260-453c-a942-63ccdbb3a9ee
Diffstat (limited to '')
-rw-r--r--include/constants.php3
-rw-r--r--include/functions.inc.php82
-rw-r--r--include/functions_comment.inc.php55
-rw-r--r--include/functions_user.inc.php39
-rw-r--r--include/picture_comment.inc.php44
5 files changed, 185 insertions, 38 deletions
diff --git a/include/constants.php b/include/constants.php
index ea5378e94..69b746474 100644
--- a/include/constants.php
+++ b/include/constants.php
@@ -40,6 +40,9 @@ define('ACCESS_ADMINISTRATOR', 3);
define('ACCESS_WEBMASTER', 4);
define('ACCESS_CLOSED', 5);
+// Sanity checks
+define('PATTERN_ID', '/^\d+$/');
+
// Table names
if (!defined('CATEGORIES_TABLE'))
define('CATEGORIES_TABLE', $prefixeTable.'categories');
diff --git a/include/functions.inc.php b/include/functions.inc.php
index 91738090f..092fe15a4 100644
--- a/include/functions.inc.php
+++ b/include/functions.inc.php
@@ -1482,4 +1482,86 @@ function get_icon($date, $is_child_date = false)
return $cache['get_icon'][$date] ? $icon : array();
}
+
+/**
+ * check token comming from form posted or get params to prevent csrf attacks
+ * if pwg_token is empty action doesn't require token
+ * else pwg_token is compare to server token
+ *
+ * @return void access denied if token given is not equal to server token
+ */
+function check_pwg_token()
+{
+ $valid_token = get_pwg_token();
+ $given_token = null;
+
+ if (!empty($_POST['pwg_token']))
+ {
+ $given_token = $_POST['pwg_token'];
+ }
+ elseif (!empty($_GET['pwg_token']))
+ {
+ $given_token = $_GET['pwg_token'];
+ }
+ if ($given_token != $valid_token)
+ {
+ access_denied();
+ }
+}
+
+function get_pwg_token()
+{
+ global $conf;
+
+ return hash_hmac('md5', session_id(), $conf['secret_key']);
+}
+
+/*
+ * breaks the script execution if the given value doesn't match the given
+ * pattern. This should happen only during hacking attempts.
+ *
+ * @param string param_name
+ * @param array param_array
+ * @param boolean is_array
+ * @param string pattern
+ *
+ * @return void
+ */
+function check_input_parameter($param_name, $param_array, $is_array, $pattern)
+{
+ $param_value = null;
+ if (isset($param_array[$param_name]))
+ {
+ $param_value = $param_array[$param_name];
+ }
+
+ // it's ok if the input parameter is null
+ if (empty($param_value))
+ {
+ return true;
+ }
+
+ if ($is_array)
+ {
+ if (!is_array($param_value))
+ {
+ fatal_error('[Hacking attempt] the input parameter "'.$param_name.'" should be an array');
+ }
+
+ foreach ($param_value as $item_to_check)
+ {
+ if (!preg_match($pattern, $item_to_check))
+ {
+ fatal_error('[Hacking attempt] an item is not valid in input parameter "'.$param_name.'"');
+ }
+ }
+ }
+ else
+ {
+ if (!preg_match($pattern, $param_value))
+ {
+ fatal_error('[Hacking attempt] the input parameter "'.$param_name.'" is not valid');
+ }
+ }
+}
?> \ No newline at end of file
diff --git a/include/functions_comment.inc.php b/include/functions_comment.inc.php
index a35c8ad60..0fadeb1f2 100644
--- a/include/functions_comment.inc.php
+++ b/include/functions_comment.inc.php
@@ -170,28 +170,25 @@ INSERT INTO '.COMMENTS_TABLE.'
$comm['id'] = pwg_db_insert_id(COMMENTS_TABLE);
- if (($comment_action=='validate' and $conf['email_admin_on_comment']) or
- ($comment_action!='validate' and $conf['email_admin_on_comment_validation']))
+ if ($conf['email_admin_on_comment']
+ or ($conf['email_admin_on_comment_validation'] and 'moderate' == $comment_action))
{
include_once(PHPWG_ROOT_PATH.'include/functions_mail.inc.php');
- $del_url = get_absolute_root_url().'comments.php?delete='.$comm['id'];
+ $comment_url = get_absolute_root_url().'comments.php?comment_id='.$comm['id'];
$keyargs_content = array
(
get_l10n_args('Author: %s', stripslashes($comm['author']) ),
get_l10n_args('Comment: %s', stripslashes($comm['content']) ),
get_l10n_args('', ''),
- get_l10n_args('Delete: %s', $del_url)
+ get_l10n_args('Manage this user comment: %s', $comment_url)
);
- if ($comment_action!='validate')
+ if ('moderate' == $comment_action)
{
- $keyargs_content[] =
- get_l10n_args('', '');
- $keyargs_content[] =
- get_l10n_args('Validate: %s',
- get_absolute_root_url().'comments.php?validate='.$comm['id']);
+ $keyargs_content[] = get_l10n_args('', '');
+ $keyargs_content[] = get_l10n_args('(!) This comment requires validation', '');
}
pwg_mail_notification_admins
@@ -212,7 +209,6 @@ INSERT INTO '.COMMENTS_TABLE.'
*
* @param comment_id
*/
-
function delete_user_comment($comment_id) {
$user_where_clause = '';
if (!is_admin())
@@ -337,4 +333,41 @@ function email_admin($action, $comment)
$keyargs_content
);
}
+
+function get_comment_author_id($comment_id, $die_on_error=true)
+{
+ $query = '
+SELECT
+ author_id
+ FROM '.COMMENTS_TABLE.'
+ WHERE id = '.$comment_id.'
+;';
+ $result = pwg_query($query);
+ if (pwg_db_num_rows($result) == 0)
+ {
+ if ($die_on_error)
+ {
+ fatal_error('Unknown comment identifier');
+ }
+ else
+ {
+ return false;
+ }
+ }
+
+ list($author_id) = pwg_db_fetch_row($result);
+
+ return $author_id;
+}
+
+function validate_user_comment($comment_id)
+{
+ $query = '
+UPDATE '.COMMENTS_TABLE.'
+ SET validated = "true"
+ , validation_date = NOW()
+ WHERE id = '.$comment_id.'
+;';
+ pwg_query($query);
+}
?> \ No newline at end of file
diff --git a/include/functions_user.inc.php b/include/functions_user.inc.php
index f3eb0b172..4488294f7 100644
--- a/include/functions_user.inc.php
+++ b/include/functions_user.inc.php
@@ -1246,19 +1246,44 @@ function is_adviser()
}
/*
- * Return if current user can edit/delete a comment
- * @param action edit/delete
+ * Return if current user can edit/delete/validate a comment
+ * @param action edit/delete/validate
* @return bool
*/
function can_manage_comment($action, $comment_author_id)
{
- if (!in_array($action, array('delete','edit'))) {
+ global $user, $conf;
+
+ if (is_a_guest())
+ {
+ return false;
+ }
+
+ if (!in_array($action, array('delete','edit', 'validate')))
+ {
return false;
}
- return (is_admin() ||
- (($GLOBALS['user']['id'] == $comment_author_id)
- && !is_a_guest()
- && $GLOBALS['conf'][sprintf('user_can_%s_comment', $action)]));
+
+ if (is_admin())
+ {
+ return true;
+ }
+
+ if ('edit' == $action and $conf['user_can_edit_comment'])
+ {
+ if ($comment_author_id == $user['id']) {
+ return true;
+ }
+ }
+
+ if ('delete' == $action and $conf['user_can_delete_comment'])
+ {
+ if ($comment_author_id == $user['id']) {
+ return true;
+ }
+ }
+
+ return false;
}
/*
diff --git a/include/picture_comment.inc.php b/include/picture_comment.inc.php
index 35f686453..439546329 100644
--- a/include/picture_comment.inc.php
+++ b/include/picture_comment.inc.php
@@ -166,23 +166,25 @@ $validated_clause.'
if (can_manage_comment('delete', $row['author_id']))
{
- $tpl_comment['U_DELETE'] =
- add_url_params($url_self,
- array(
- 'action'=>'delete_comment',
- 'comment_to_delete'=>$row['id']
- )
- );
+ $tpl_comment['U_DELETE'] = add_url_params(
+ $url_self,
+ array(
+ 'action'=>'delete_comment',
+ 'comment_to_delete'=>$row['id'],
+ 'pwg_token' => get_pwg_token(),
+ )
+ );
}
if (can_manage_comment('edit', $row['author_id']))
{
- $tpl_comment['U_EDIT'] =
- add_url_params($url_self,
- array(
- 'action'=>'edit_comment',
- 'comment_to_edit'=>$row['id']
- )
- );
+ $tpl_comment['U_EDIT'] = add_url_params(
+ $url_self,
+ array(
+ 'action'=>'edit_comment',
+ 'comment_to_edit'=>$row['id'],
+ 'pwg_token' => get_pwg_token(),
+ )
+ );
if (isset($edit_comment) and ($row['id'] == $edit_comment))
{
$tpl_comment['IN_EDIT'] = true;
@@ -195,12 +197,14 @@ $validated_clause.'
{
if ($row['validated'] != 'true')
{
- $tpl_comment['U_VALIDATE'] =
- add_url_params($url_self,
- array('action' => 'validate_comment',
- 'comment_to_validate' => $row['id']
- )
- );
+ $tpl_comment['U_VALIDATE'] = add_url_params(
+ $url_self,
+ array(
+ 'action' => 'validate_comment',
+ 'comment_to_validate' => $row['id'],
+ 'pwg_token' => get_pwg_token(),
+ )
+ );
}
}
$template->append('comments', $tpl_comment);